Duopoly insurers' incentives for data quality under a mandatory cyber data sharing regime

We study the impact of data sharing policies on cyber insurance markets. These policies have been proposed to address the scarcity of data about cyber threats, which is essential to manage cyber risks. We propose a Cournot duopoly competition model in which two insurers choose the number of policies they offer (i.e., their production level) and also the resources they invest to ensure the quality of data regarding the cost of claims (i.e., the data quality of their production cost). We find that enacting mandatory data sharing sometimes creates situations in which at most one of the two insurers invests in data quality, whereas both insurers would invest when information sharing is not mandatory. This raises concerns about the merits of making data sharing mandatory.Comment: 46 pages, 8 figures, to be published at Computers & Securit

Att göra eller icke göra, det är frågan! – En studie av Socialstyrelsens hantering av upplevd kontra kalkylerad risk i samband med fågelinfluensan

Modernitet är ett vanligt förekommande begrepp i den samhällsvetenskapliga diskursen och Anthony Giddens med flera talar om det risksamhälle som uppkommit till följd av moderniteten. Risksamhällets oöverskådlighet leder till behovet av expertgrupper och en ökande betydelse av vetenskaperna. I risksamhället råder det delade meningar om olika riskers hotfullhet och en divergens mellan allmänhetens upplevda risk och experternaskalkylerade dito verkar vara ett problem för många organisationer. Uppsatsen tar avstamp i hur organisationer hanterar ovan nämnda divergens och använder sig av en fallstudie av Socialstyrelsens hantering av fågelinfluensan för att besvara frågan. Den teoretiska utgångspunkten är nyinstitutionalismen och då främst begreppen frikoppling och beslutsrationalitet. Antagandet är att när organisationer ställs inför dilemmat att antingen framstå som effektiva eller rationella i sitt beslutsfattande blir lösningen att, omedvetet, frikoppla dessa från varandra. Slutsatserna av uppsatsen mynnar ut i ett konstaterat behov av frikoppling och att den, teorierna till trots, till viss del är medveten. Det ter sig oundvikligt att organisationen agerar på det viset eftersom omvärlden ställer helt oförenliga krav vilka bottnar i divergensen mellan upplevd och kalkylerad risk. Tolkningen av studien är att den situation med divergens som Socialstyrelsen ställts inför troligtvis är ett dilemma som mångaandra organisationer också måste hantera vare sig de är expertgrupper eller inte. Studien kan därför även underlätta förståelsen av andra organisationers handlande. Uppsatsen visar på ett samband mellan risk och frikoppling. Kärnan i problematiken är det klassiska dilemmat mellan att göra eller att inte göra

DATA QUALITY CONSEQUENCES OF MANDATORY CYBER DATA SHARING BETWEEN DUOPOLY INSURERS

Cyber attacks against companies are becoming more common as technology advances and digitalization is increasing exponentially. All Swedish insurance companies that sell cyber insurance encounter the same problem, there is not enough data to do good actuarial work. In order for the pricing procedure to improve and general knowledge of cyber insurance to increase, it has been proposed that insurance companies should share their data with each other. The goal of the thesis is to do mathematical calculations to explore data quality consequences of such a sharing regime. This thesis is based on some important assumptions and three scenarios. The most important assumptions are that there are two insurance companies forced to share all their data with each other and that they can reduce the uncertainty about their own product by investing in better data quality. In the first scenario, we assume a game between two players where they can choose how much to invest in reducing the uncertainty. In the second scenario, we assume that there is not a game, but the two insurance companies are forced to equal investments and thus have the same knowledge of their products. In the third scenario, we assume that the players are risk averse, that is, they are not willing to take high risk. The results will show how much, if any, the insurance companies should invest in the different scenarios to maximize their profits (if risk neutral) or utility (if risk averse). The results of this thesis show that in the first and second scenario, the optimal profit is reached when the insurance companies do not invest anything. In the third scenario though, the optimal investment is greater than zero, given that the companies are enough risk averse

DATA QUALITY CONSEQUENCES OF MANDATORY CYBER DATA SHARING BETWEEN DUOPOLY INSURERS

Cyber attacks against companies are becoming more common as technology advances and digitalization is increasing exponentially. All Swedish insurance companies that sell cyber insurance encounter the same problem, there is not enough data to do good actuarial work. In order for the pricing procedure to improve and general knowledge of cyber insurance to increase, it has been proposed that insurance companies should share their data with each other. The goal of the thesis is to do mathematical calculations to explore data quality consequences of such a sharing regime. This thesis is based on some important assumptions and three scenarios. The most important assumptions are that there are two insurance companies forced to share all their data with each other and that they can reduce the uncertainty about their own product by investing in better data quality. In the first scenario, we assume a game between two players where they can choose how much to invest in reducing the uncertainty. In the second scenario, we assume that there is not a game, but the two insurance companies are forced to equal investments and thus have the same knowledge of their products. In the third scenario, we assume that the players are risk averse, that is, they are not willing to take high risk. The results will show how much, if any, the insurance companies should invest in the different scenarios to maximize their profits (if risk neutral) or utility (if risk averse). The results of this thesis show that in the first and second scenario, the optimal profit is reached when the insurance companies do not invest anything. In the third scenario though, the optimal investment is greater than zero, given that the companies are enough risk averse